Peer Review Service Organization Control (SOC) Specialist

A specialist who meets the criteria established by the AICPA may be approved to assist peer review teams to review SOC 1, 2, or 3 engagements. When a specialist is used, the team captain, as always, is responsible for supervising and conducting the review, communicating the review team’s findings to the reviewed firm and administering entity, preparing the report on the review, and ensuring that peer review documentation is complete and submitted to the administering entity on a timely basis. The team captain should supervise and review the work performed by the specialist. The team captain will furnish instructions to the specialist regarding the manner in which materials and other notes relating to the review are to be accumulated to facilitate summarization of the review team’s findings and conclusions. The specialist may be required to be available or participate in the exit conference. The qualifications of SOC 1 or 2 specialists are as follows:

An individual serving as a SOC specialist on a peer review must be recommended as a specialist by a CPA who is a member of the AICPA in good standing and is associated with a firm that has received a report with a peer review rating of pass for its most recent System Review that was accepted timely, ordinarily within the last three years and six months. An individual serving as a specialist should, at a minimum:

Be currently active in public practice at a supervisory level for managing SOC 1 and/or SOC 2 examinations. To be considered currently active, a specialist should be presently involved in the SOC practice of a firm supervising one or more of the firm’s SOC engagements.

Be associated with a firm (or all firms if associated with more than one firm) that has received a report with a peer review rating of pass[1] for its most recent System Review that was accepted timely, ordinarily within the last three years and six months.[2]

Not be associated with an engagement that was deemed not performed or reported on in accordance with professional standards in all material respects on the specialist’s firm’s most recently accepted peer review.

Possess current knowledge of professional standards applicable to SOC 1 and/or SOC 2 examinations, including Type 1 and Type 2 reports, qualified and unqualified reports, carve in/carve out engagements, and engagements with and without relevant user entity controls.

Have spent the last five years in the practice of public accounting with a minimum of 500 hours of SAS 70/SOC 1 and/or SysTrust/SOC 2 examinations.

Have provided the administering entity with information that accurately reflects the qualifications of the specialist, which is updated on a timely basis.

To become an approved specialist: The specialist candidate should complete a peer reviewer resume in PRIMA. If the specialist is not an AICPA member and does not have a user account, the specialist should access the instructions from Getting Started in PRIMA to create an account.

If you have any questions, please contact the AICPA Peer Review technical hotline at (919) 402-4502 or at prptechnical@aicpa.org.

[1] A peer review report with a rating of pass was previously referred to as an unmodified report (with or without a letter of comments). If a firm’s most recent peer review rating was a pass with deficiencies or fail, the firm’s members are not eligible to perform peer reviews.

[2] If a firm’s most recent review was a report review, then the firm’s members are not eligible to perform peer reviews.